Piracy is a long-standing issue for most, if not all, software publishers. Way back in 1976, when computers were solely the domain of businesses and hardcore hobbyists, a young Bill Gates railed against people stealing Altair BASIC, software he had written with Paul Allen and Monte Davidoff. (The letter in full can be found here.)

In those days protection mechanisms were unheard of. There were no holographic install media or licensing validation servers. Copying a program was as simple as copying the contents of one floppy disk to another. In this piece I’d like to discuss software piracy not as a moral or legal matter but simply as a security issue and as a complicating factor when working on a client’s system.

When written, computer code is simply text that defines a list of actions to be performed. If you are familiar with the programming language it is possible to read the text and follow how it works (the flow of execution) in your head. In this form it is called source code. In order for the program to run it must be converted into a form that the computer can work with: commonly termed a binary.

In open source programs, both source code and binary are available to download. Those with the relevant skill can read and modify the code. Proprietary programs however are closed source: the binary, in the form of an executable file (MyAmazingProgram.EXE) is available but the text files of readable computer code are not.

Without source code, every time you install a piece of software, you trust that the authors have not included any malicious code. In open source systems, the non-technical rely on those higher-mortals who can read the code to do so and spot nay nefarious activities. For the more paranoid users however, binaries are anathema: the only way they will install programs is by downloading the source code and compiling the executable binary themselves.

Closed source systems have normalised the idea that end users should not know what they are installing beyond its name and the publisher’s description of what it does. This has helped to prepare the ground for two forms of piracy in particular, the cracked .exe file and the key generator.

The major forms of bypassing validation are:

Volume Licensing Key

This is where a large corporation buys a large number of licenses for a particular piece of software but the key is released to the public. One particular instance which comes to mind is the Windows XP VLK which was compromised and widely distributed online.

Key Generator

This is a tool which generates a serial which is indistinguishable from an official key. This is done by working out how official keys are generated (usually a fairly straightforward algorithm) and then replicating that process.

Cracked Executable File

This final method is far and away the most fraught with danger. The idea is that the executable file that starts the program running is replaced with one which has had its protection mechanism removed.

Both the key generator and the cracked executable require you, the user, to run them and, if necessary, grant them permission to do so. As was noted in an earlier piece, though not involving pirated software, this granting of permission is where virus and other kinds of infections can begin. Ironically, it is better, in this situation, to be infected by something immediately evident, such as one of the fake anti-viruses (20445 INFECTED FILES FOUND!!! EXTREME WARNING!!! PAY NOW TO CLEAN YOUR SYSTEM!!!!) than to be silently monitored by a keylogger, crafted to harvest your personal details.

The complicating factor for anyone working on a computer that has pirated software installed is that genuine software problems can be confused by symptoms from an infection or from a badly coded cracked executable. Computers are complicated enough running legitimate software from reputable vendors without the introduction of poor quality code with questionable purpose.

There is a large ecosystem of free and open source programs to obviate the need for pirated software. A list of alternatives to paid for software is maintained at www.alternativeto.net.

UPDATE 18/3/13: If you have recently been infected by this malware please contact us via the contact page or Facebook. We are looking for a working version to examine 🙂

The infection started with a link sent, via a major social network from a friend’s account which had been compromised, with a comment designed to provoke curiosity in the person receiving it. It read, “Haha, you’re famous now, lol!” The link led to a webpage designed to resemble YouTube. On arriving, a notification popped up to say that flash player was out of date and offered to install the update. Accepting the update, instead of Flash, it installed a trojan horse computer program. Trojans give attackers an entry point into their victims’ computers. They work much like a burglar who, having gained entry by some means, switches off the alarm and unlocks the front door so their accomplices can get in. They are generally the start of a much larger infection as they can be used to download further malware onto the victim’s computer. As part of its installation routine, this trojan also installed an innocuous sounding file in an innocuous sounding folder. Take note of this file, it will be important later.

This particular trojan was a variant of Gen.Siggen, and installed itself as LSSASR.exe in the \Windows\SysWOW64\ folder, which is home to 32bit system programs which run on 64bit systems. Once it had turned off the firewall, it proceeded to download various other malware which I successfully removed using a combination of standard removal tools. With these secondary infections taken care of, I used an invaluable program called rkill to identify and kill malicious processes and which duly identified LSSASR.exe and stopped it running. I deleted the LSSASR.exe file and rebooted, fully expecting to see the virus scanner return a clean bill of health. And indeed, when the desktop was back up and I ran rkill again, it returned “no malicious processes found”. A few minutes into a malware scan with no warning notices, I was reassured, thinking that the enemy was bested and it was time to put the kettle on. Then, MSSE popped up with a notification that it had found an infection and was trying to clean it. It was LSSASR.exe again.

When I tried to remove it I got a notice that LSSASR.exe couldn’t be deleted because it was in use by the Java binary, a legitimate program for running Java programs. My initial thought was that the Java executable may have been infected so I stopped the process, deleted LSSASR.exe and uninstalled Java completely before reinstalling it from a trusted source. Upon rebooting, the same sequence of events occurred:

a few minutes after getting to the desktop, the firewall was switched off.

a fresh copy of LSSASR.exe would appear in SysWOW64.

MSSE would find LSSASR.exe and try to clean the infection but fail

In a moment of clarity I realised that LSSASR.exe was itself a symptom, not the cause. I still needed to find out what was starting it all. Something was waking up after start-up, and when it found that LSSASR.exe was missing, copied a new one over and set it running. I opened up the list of programs set to start automatically and checked through them but missed it at first because it seemed so innocuous. It eventually caught my eye: javaw.exe, set to run that file I mentioned earlier, which went by the name of 16a09g1, located in

\Windows\Config\local\AppData\Google\

This file’s sole purpose, as far as I can tell, was to check that the machine it ran on was infected and if not, to re-infect it. The original infection process created the folder structure and placed 16a09g1 into it. It then added a line to the list of start-up processes that read: javaw.exe (which runs silently) will execute 16a09g1 every time the computer starts. 16a09g1 then checks if LSSASR.exe exists in SysWOW64 and if not, copies it over and starts it running. Once LSSASR.exe is running, it can open connections to remote servers, download other malware programs, or simply sit and listen for commands from the person who installed it.

The malware evaded security through a simple mechanism. The file that started the process, 16a09g1, didn’t have a known signature so it wasn’t flagged by any of the multiple scanners I used, though they caught the secondary infections. The key to the cure was simply that the command in the list of start-up items which set the re-infection process going was suspicious enough to catch my attention. Unfortunately, I securely deleted both the original infection file (the flash updater) and 16a09g1 before realising that I should have disassembled them to try and see exactly how they work. By the time I got around to asking for the original link, however, the webpage that had hosted it had been taken down, presumably by the social network itself once it was found to be serving malware.

If you think your computer may have contracted a virus, get in touch. We are available via the telephone numbers listed above, email and Facebook.

A client in Llanberis called with a curious problem: on starting up, her laptop, an Inspiron 6000, would show a black screen with a flashing cursor at the top left of her screen and then stop. Okay, sounds like maybe some hardware has stopped working or some sort of malware has deleted some files it shouldn’t have. I would need to check the hardware first and then software.

On every non-Apple computer there is a BIOS (Basic Input-Output System), a small computer program on a chip which, whenever you press the on button, checks that certain hardware is working (the Power On Self Test). It checks that there is memory and that it works, that the graphics chip or add-on card is working, that the keyboard and mouse are attached and primes them all ready for running. If there’s a problem, it will beep at you. The number of beeps and whether they’re long or short or the mixture of long and short is used to identify the precise problem. For instance, a recent laptop I looked at had seven long beeps which meant that the graphics chip or motherboard was fried.

The lack of beeps convinced me that at a certain level, the hardware was working but I checked in the BIOS to be sure. I missed it at first but the hard drive was seen as 137GB even though it was a 160GB hard drive. The issue was that the laptop came of age before a thing called 48bit Large Block Addressing and instead used 28bits. Think of it as trying to uniquely identify boxes using three-digit numbers – once you reach 999, you have no more unique numbers. With 48 bits, you can give addresses to more boxes. When data piled up and over the 137GB limit, the hardware got confused and simply could not address the amount of space that was in use and so stopped.

The answer was to split the hard drive into two sections, one for Windows’ system files and another for the user’s files. The BIOS then saw the hard drive as two separate drives and quite happily booted up.

If you’re computer isn’t working the way you’d like, get in touch. We’re available via telephone, email or Facebook.

A curious problem this week from a client in Waunfawr, Gwynedd. I had previously installed a router that my client had bought to improve the wireless signal and coverage. Everything was working well except for one laptop which had problems connecting via wireless. It found the wireless network and could connect but whilst it listed the network by name, it was also marked as an unidentified public network. There is a lot of confusion over this as it appears to be a fairly widespread problem with just as many possible solutions, ranging from setting a static IP address to disabling LMHOSTS (neither of which worked in this case).

After some head-scratching it was found to be an outdated wireless card driver. In circular fashion, the wireless card needed an update in order to connect to the wireless network but couldn’t update because it couldn’t connect to the wireless network. The solution was to connect the laptop to the router using an ethernet cable and update the wireless card driver.

11 Jun 2013 UPDATE: This Tardis-like item has shown up in the village. The new, larger, faster, cabinet to house the new, larger, faster internet connections. More updates as events unfold.

Big, fast and shiny!

9 Jun 2013 UPDATE: As I posted on Facebook, I came face to face with a real life BT Openreach engineer who confirmed that they were putting the fibre optic cable in from Brynrefail to Llanberis. Read about it here.

8 May 2013 UPDATE: SamKnows now has a Ready for Service date of September this year for Fibre to the Cabinet in Llanberis. This could mean that speeds are going to increase dramatically (as long as FTTC means the little green cabinet on the High Street and not merely the exchange in Brynrefail).

13 March 2013 UPDATE: It could be that the infrastructure for fast, reliable internet connections is coming to Wales (especially Llanberis). The details are a bit blurry currently but Superfast Cymru is a WAG/UK government sponsored project with the aim of improving the state of Welsh internet connections. Fibre optic connections are to be rolled out over the next few years, with Gwynedd being part of the 2013/14 schedule. You can register your interest at Superfast Cymru.

One of the big issues facing everyone living and working in Llanberis is the slow speed of our internet connections. The problem is due to the nearest exchange being over in Brynrefail. There is roughly two and a half miles of twisted-pair copper cables between our home routers and the infrastructure that connects to the internet. When they were rolled out, these cables were intended simply for voice calling, internet connections is something they are unsuitable for but have been pressed into. BT’s Openreach website states that Brynrefail exchange is “Not currently in rollout plans” (check your postcode here). The list of exchanges to be converted to fibre goes up to 2014 so at the very earliest, it may be 2015 before it reaches us. So the chances of superfast network connections coming to Llanberis look decidedly remote. Read more ›

I was recently contacted by a client in Llanberis who had accidentally closed an unsaved excel spreadsheet which contained a whole morning’s work. He had lost it all and was looking for a way to get it back. Unfortunately this is not possible (a fuller explanation is below) but I’d like to share a trick to prevent this from happening to you. Read more ›

Chances are, if you bought your laptop from new or if you’ve needed to re-install recently, you have a lot of junk software installed. Trial-ware for cloud backups, anti-viruses, games, DVD burning studios, the list goes on and on. All with the intention of getting you to sign up and pay for something you would never have missed had it not been there. Manufacturers are paid by the software makers for each machine their wares are installed on. What is most galling, though, is that hardware manufacturers make such software part of the restore image partition so that when you re-install your operating system, the junk software gets re-installed with it. Read more ›

How loud is your PC? Does it run with a barely audible whisper or does it sound like a jet fighter taking off? In order to keep prices down, many manufacturers use cheaper components, not geared for quiet operation. One of the biggest issues for PCs is getting rid of the heat that the internal components produce. The major culprits are the processor, power supply, graphics card and hard drive. It is the process of removing the heat these components generate, by use of spinning fans, that causes the most noise. The first issue is to discover if the noise is the result of normal operation or if there is something else at fault. Read more ›

After a long time prevaricating, we are now on Facebook. You can find us here. The page is pretty bare at the moment but I will be adding lots of intelligent, perceptive and possibly humorous content in the near future. Like if you like!

Whatever your computer or laptop problems, we’d love to hear from you. Call us now on the numbers above.

One of the things that makes Firefox shine above other browsers is the eco-system of add-ons that has risen around it. The web has become a breeding ground for businesses whose sole purpose is to watch what you do online. In this post I’ll show you my essential add-ons for Firefox to help make the web safer, more secure and a generally nicer place. Read more ›